DHCP snooping is critical when using the device sensor built into the switch for profiling with Cisco ISE. With DHCP snooping enabled, the switch inspects the DHCP exchanges of endpoints on its access ports; the device sensor collects attributes from those DHCP packets (option values such as the host name and class identifier) and forwards them to ISE in RADIUS accounting packets. DHCP snooping also lets you restrict where DHCP server traffic may come from: only interfaces marked as trusted may source DHCP server messages (OFFER, ACK, NAK). If someone plugs a DHCP server into an untrusted port, those server messages are dropped automatically.
In order for DHCP to keep working after DHCP snooping is enabled, the access switch uplink port is configured as a trusted interface, because that is where the OFFER and ACK messages from the DHCP server (or relay) arrive. This is accomplished by adding “ip dhcp snooping trust” to the port configuration. A recent deployment I had involved a stack of switches with two uplink ports configured in a port channel. After applying my template to the switch and configuring both uplink ports as trusted interfaces, we noticed endpoints were having DHCP issues. The endpoints would repeatedly receive an IP address and then lose it, several times in a row. Some endpoints would eventually retain the IP address, but others would either continue the cycle or not receive an IP address at all.
I checked the configuration against the test switch (always have a test switch!) and couldn’t find any difference in the commands applied from my template. The only real differences were 1) this was a stack rather than a single switch and 2) the stack had its uplink ports configured in a port channel. I decided to try removing the “ip dhcp snooping trust” command from the individual uplink ports and adding it to the port-channel interface configuration instead.
Several endpoints (desktops, IP phones, etc.) were restarted to verify DHCP was working properly again. Success! All endpoints were now receiving and retaining IP addresses via DHCP.
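As an added example (this is not from the original post and not Cisco's code), here is a small Python audit script that catches the mistake described above before a template is pushed to a stack. It parses a running-config in Cisco IOS style into interface stanzas and reports trust placed on a physical member of a channel-group instead of on the Port-channel interface, a Port-channel that nobody trusts, and snooping that is not enabled globally or per VLAN. The two configurations embedded in it are constructed samples: the first mirrors the failing stack (trust on both GigabitEthernet uplink members, nothing on Port-channel1), the second is the corrected form. Interface names, VLAN numbers and the “no ip dhcp snooping information option” line are illustrative choices, not taken from the post.

```python
"""Audit a Cisco IOS-style config for DHCP snooping trust placement.

Added illustrative example, not code from the original post or from Cisco.
All configuration text below is constructed sample input.
"""
import re

TRUST = "ip dhcp snooping trust"

# Constructed sample: the failing configuration. Trust sits on both physical
# uplink members of the EtherChannel, and Port-channel1 itself is untrusted.
BROKEN_CONFIG = """\
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip dhcp snooping
!
interface Port-channel1
 switchport mode trunk
!
interface GigabitEthernet1/1/1
 switchport mode trunk
 channel-group 1 mode active
 ip dhcp snooping trust
!
interface GigabitEthernet2/1/1
 switchport mode trunk
 channel-group 1 mode active
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
"""

# Constructed sample: the corrected configuration, trust on the Port-channel.
FIXED_CONFIG = """\
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip dhcp snooping
!
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/1/1
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet2/1/1
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
"""


def parse_interfaces(config):
    """Split running-config text into {interface name: [sub-commands]}."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other unindented line returns to global mode
    return stanzas


def global_commands(config):
    """Set of unindented (global configuration mode) commands."""
    return {l.strip() for l in config.splitlines()
            if l.strip() and not l.startswith((" ", "!"))}


def audit_dhcp_snooping(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    glob = global_commands(config)
    if "ip dhcp snooping" not in glob:
        findings.append("DHCP snooping is not enabled globally ('ip dhcp snooping')")
    if not any(c.startswith("ip dhcp snooping vlan ") for c in glob):
        findings.append("DHCP snooping is not enabled on any VLAN ('ip dhcp snooping vlan ...')")

    stanzas = parse_interfaces(config)
    norm = lambda s: s.replace(" ", "").lower()  # "Port-channel 1" == "Port-channel1"
    trusted = {norm(n) for n, cmds in stanzas.items() if TRUST in cmds}

    # Map each physical member port to the Port-channel it belongs to.
    member_of = {}
    for name, cmds in stanzas.items():
        for c in cmds:
            m = re.match(r"channel-group (\d+) mode ", c)
            if m:
                member_of[name] = f"Port-channel{m.group(1)}"

    # Trust configured on a member port instead of on the bundle.
    for phys, po in sorted(member_of.items()):
        if norm(phys) in trusted:
            findings.append(f"{phys} carries '{TRUST}' but is a member of {po}; "
                            f"move the trust to 'interface {po}'")

    # A bundle with no trust anywhere: if it is the uplink, offers get dropped.
    for po in sorted(set(member_of.values())):
        members = [p for p, m in member_of.items() if m == po]
        if norm(po) not in trusted and not any(norm(p) in trusted for p in members):
            findings.append(f"{po} is not trusted; if it is the uplink toward the "
                            f"DHCP server, DHCP offers will be dropped")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_dhcp_snooping(cfg) or ["no findings"]:
            print(" ", f)
```

Run it against a saved “show running-config” (replace the embedded strings with the file contents) before applying a template to a stack; the broken sample produces one finding per trusted member port, the fixed sample produces none.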
For more information about what DHCP snooping is, check out the DHCP Snooping section of the Cisco Catalyst 3750-X and Catalyst 3560-X Switch Software Configuration Guide.